Endpoint Protection

Hi,

I have installed Symantec Endpoint Protection MR4 MP2 for about 3 weeks. It is fresh install. I have a few remote offices. The remote connection is VPN. For server SEP install, I only install AV/AS. For Client, I install AV/AS and Device control. Since I installed SEP, our remote office connection become very slow on every Monday morning for about 2 hours. The connection is very slow, you barely can do anyhting for remote site. The ping time will be up to 900 high. After about 2 hours, the connection become normal. It drop to 20-40. It only happen on Monday. My weekly full scan is on each Friday. For server weekly full scan is on Sunday. Except this issue, everything is fine. Virus Definition update is very in time.

Yesterday (Monday) morning, I called Symantec second time. They have me remove NTP from one client for testing. After remove NTP, the connection is still slow. (I pinged remote host from that pc without NTP) So the Symantec technician said this issue is not caused by SEP. I doubt.

Anyone have same issue? Any suggestion?

Thanks.

How are the clients in remote site getting the updates?
Have you set up GUP or they are taking it directly from SEPM Manager.
SetUp Group Update Provider (GUP) for each remote site so that only GUP will take updates from SEPM and then it will locally distribute the definitions in its local LAN.

Symantec Endpoint Protection 11.0 Group Update Provider (GUP)
http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/184f7ebb04cd173480257363006d2beb?OpenDocument

Please post the screenshot of the Task Manager, descending on the cpu usage. Let's see if SEP is the problem.

What is the communication settings in the SEPM. if it is push make it pull and the uncheck the network drive scanning

All clients update virus definition from SEPM Manager including local and remote. We don't setup GUP because each remote office only have 10-15 clients. I have 4 remote offices.

The communication settings is pull mode. (default is push mode. At my first time calling Symantec, they told me to change to pull mode to see if it can solve this issue) The heartbeat Interval I already change to 4 hours. On this Monday, the heartbeat interval is 30 min.

For network drive scanning, I have checked all groups. It is "Uncheck". I mean the Network Settings under the File System Auto-Protect.

The Task Manager , I cannot paste to the edit box. I right-click here, the Paste is gray. But right now the cpu usage is 0-2%. Next time, I willl check CPU usage.

I want to make sure if this is caused by SEP or because network bandwidth over utilization.

Using GUP will save some bandwidth as all 10-15 wont be downloading updates at once only one of the 10-15 client will download the definition. 

In the setup, go to Admin tab, then servers (lower right) then highlight your site.
Choose edit site properties. A box willpop up.
Choose the Liveupdate tab.
Under disk space management for downloads, change the setting to 12, (I also choose store client packages unzipped but that's another matter)
Setting it to 12 means that you don't have to push the WHOLE defs updates to all clients across the WAN each monday AM, only the deltas....... saves a ton of bandwidth.
This number means it will save all weekend's updates on the server and can give just deltas or the changes, not the entire file of about a bazillion terabytes.
We have ALL 40 offices come back here for their defs updates from our two servers here. That's a couple hundres computers in 40 locations, varying from 2 or 3 to 20 in each office. No problems. 

Thanks. I'll try it and let you know the result.

ShadowsPapa,

I cheked the setting for the disk space management for downloads. It is 3 now. It should be the default settings. Do I still need to change to 12? I think lage number means more download.

another question:
Onthe same page, there is an item - Content type to download. It select all type. Di I need all the type?

Thanks

Hello,

I think Shadow papas solution will help you if your machines in the remote sites are turned off during the weekend but if they are not turned off then configure the GUP on your remote site that should definitely help you.
 

No shadows answer is right. The default is set to three, which for the vast majority of people this works. However since you are connecting via VPN to remote sites then you should probably set this higher. How it works is this. By default, SEPM is configured to keep only 3 revision. The liveupdate on SEPM will run every 4 hours by default. This means the SEPM will download atleast 2 revision in one day.The next day SEPM will download the 3rd revision. If any client checks in after 2 days, the client''s definition(revision) will not match with any revision stored in SEPM, hence the full content will be sent to the client. SEPM will consider the client's definition(revision) to be older than all of its revision stored and it will give the full content. So since each full definition is around 50 mb this correlates to massive amount of data flowing around your network. So in order to keep from downloading the full definitions come monday morning (after no connection to the SEPM for more than a couple days) you should set the "Number of content revisions to keep" higher. Shadows suggestion of 12 is good.

So to summerize more updates does not correlate to more bandwidth. You just need to not pass around the full definition each monday. However Please note that increasing the above setting will directly effect the hard drive space as more number of content revision will be stored in <Root>:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content. It will not be a dramatic increase since you are only setting it to twelve. But it should be noted so someone doesn't set it to like 200 or something crazy like that. Hopefully this helps.

Cheers,
Grant

I had exactly the same problem every Monday morning over our WAN links, even the 100Mb to our largest remote site - totally saturated by SEP updates.  

Increasing the revisions as ShadowsPapa suggested cured our problem.  Note though, that if you have shutdown holidays (Christmas, Bank Holidays, etc) then you will have the same problem. We get around this by decreasing the LiveUpdate frequency on holidays to daily and settings the revisions to 25.

I've now setup a GUP at the largest remote site which means that expensive 100Mb link is being used for what it was intended and not just replicating updates.

I already chenged to 12. We will see next Monday. My client generally will turn off their pc on weekend. If this not work, I will try GUP.

Thanks a lot.

In some cases I've found 12 isn't enough. It depends on what time of day they shut down and restart. If they are like many of us who leave at noon friday, then they've missed at least 1 more update, same for those who can't wake up Monday morning and come in at noon.
I've seen some need to set to 14 for best results.
Experiment, tweak, whatever....................
My issue with GUP in our environment, any computer in the field I choose for the GUP "server" will invariably be the one that blows up or someone shuts down for a week "because no one was using it".
We've been just fine without it in our small offices. To me, I'd need to see more than 15 users and have tried everything else first. I just as soon have fewer things to watch over, assign and make sure someone didn't turn off.
That  is why we recently PULLED 11 field file servers. Too much of a pain in the rear to keep up that sort of structure.
LEan and simple is good, in my opinion.
Good luck, and do try 14 if 12 isn't quite good.

I think Shadows's way is working. I have changed to 14 last week and this morning  (Monday) the wan connection and server cpu usage is normal. It solves a big issue for me. Thanks again.

I just feel strange when I called Symantec for help and open a case no. Their technisian just want to approve my issue was caused by our WAN connection problem. They have me do the tracert to approve the issue cause. Actually it is not. I am very sure this issue happened after I install Endpoint. I actually talked to our network vendor, they cannot find any problem with their line. So what else I can say!

In any SEP environment you really need to change the number of revisions SEP is storing.
The default of 3 revisions is pretty ridiculous when you consider the SEP manager by default connects to the internet for updates every 4 hours.
So, if it gets 3 definition updates then your SEP manager only has 1 day worth of definitions to send to clients.

If any SEP client is more than 1 day out of date it will have to download approx. 50Mb from the SEP manager.
Obviously this is not ideal and even less so when you are talking about WAN links, or just large deployments.

If you can afford the disk space make this as large as possible.
I usually go for at least 20 days worth of revisions as I only have SEP on well specced servers with loads of hard drive space.
Although then the SEP database starts getting very large.

Tune to your requirements.
At least we can tune unlike in SAV where once clients were 10 days out of date there where no more microdefs.

cheers

Z

You actually make a good point zer0, and I hope this gets "fixed" soon. It is not really a problem, but I think there should at least enough revisions to last through a 3-day holiday weekend. With hard drives getting bigger and bigger the trade off with the disk space is not much of an issue anymore. I think enough for three days should be the default and if people need the disk space they can lower it. You should suggest this as an Idea in our ideas section, and maybe provide the link back to this thread when/if you do so people get an idea of what problems it can cause with just the three revisions.

Cheers
Grant-